fix: warn when TUF fetching of keys fails (#8080)

![example screenshot showing the new logging message being displayed](https://github.com/user-attachments/assets/51474264-0d19-4cb7-bb67-2641fcd27968)
npm · Feb 3, 2025 · 41417de · 41417de
1 parent 593c849
commit 41417de
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 1 deletion.
diff --git a/lib/utils/verify-signatures.js b/lib/utils/verify-signatures.js
@@ -192,6 +192,7 @@ class VerifySignatures {
 
     // If keys not found in Sigstore TUF repo, fallback to registry keys API
     if (!keys) {
+      log.warn(`Fetching verification keys using TUF failed.  Fetching directly from ${registry}.`)
       keys = await npmFetch.json('/-/npm/v1/keys', {
         ...this.npm.flatOptions,
         registry,

diff --git a/test/lib/commands/audit.js b/test/lib/commands/audit.js
@@ -940,7 +940,7 @@ t.test('audit signatures', async t => {
   })
 
   t.test('with key fallback to legacy API', async t => {
-    const { npm, joinedOutput } = await loadMockNpm(t, {
+    const { logs, npm, joinedOutput } = await loadMockNpm(t, {
       prefixDir: installWithValidSigs,
     })
     const registry = new MockRegistry({ tap: t, registry: npm.config.get('registry') })
@@ -952,6 +952,7 @@ t.test('audit signatures', async t => {
 
     t.notOk(process.exitCode, 'should exit successfully')
     t.match(joinedOutput(), /audited 1 package/)
+    t.match(logs.warn, ['Fetching verification keys using TUF failed.  Fetching directly from https://registry.npmjs.org/.'])
     t.matchSnapshot(joinedOutput())
   })